XMLWordPrintable

      From an external report:

      Confluence recently has been tested and, as a result, we were able to verify the existence of at least one persistent XSS vulnerability. This vulnerability is present in the Edit Attachment feature — specifically in the newFileName field — accessible through the following URL:
      https://confluence/pages/editattachment.action
      As a means to prove the concept proposed by this issue, we added the value "<script>alert(1)</script>file" (without quotes) in the newFileName field. Such as described in the image named xss.png (attached).
      After the aforementioned insertion, the script executes successfully whenever a user visits the vulnerable page, which in turn, is available at:
      https://confluence/dosearchsite.action?queryString="
      As can be seen in the images named xss1.png and xss2.png (attached).

        1. confluence-search-2.3.13-SNAPSHOT.jar
          157 kB
          Feng Xu
        2. xss.png
          33 kB
          Ashley Blackmore
        3. xss1.png
          66 kB
          Ashley Blackmore
        4. xss2.png
          91 kB
          Ashley Blackmore

              fxu Feng Xu (Inactive)
              c0a03ec99fd7 Jodson Santos
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: